Improve web api protect (#6343)
This commit is contained in:
parent
204d72fbe4
commit
897199910f
9
app/controllers/api/web/base_controller.rb
Normal file
9
app/controllers/api/web/base_controller.rb
Normal file
@ -0,0 +1,9 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
class Api::Web::BaseController < Api::BaseController
|
||||
protect_from_forgery with: :exception
|
||||
|
||||
rescue_from ActionController::InvalidAuthenticityToken do
|
||||
render json: { error: "Can't verify CSRF token authenticity." }, status: 422
|
||||
end
|
||||
end
|
@ -1,6 +1,6 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
class Api::Web::EmbedsController < Api::BaseController
|
||||
class Api::Web::EmbedsController < Api::Web::BaseController
|
||||
respond_to :json
|
||||
|
||||
before_action :require_user!
|
||||
|
@ -1,10 +1,9 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
class Api::Web::PushSubscriptionsController < Api::BaseController
|
||||
class Api::Web::PushSubscriptionsController < Api::Web::BaseController
|
||||
respond_to :json
|
||||
|
||||
before_action :require_user!
|
||||
protect_from_forgery with: :exception
|
||||
|
||||
def create
|
||||
active_session = current_session
|
||||
|
@ -1,6 +1,6 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
class Api::Web::SettingsController < Api::BaseController
|
||||
class Api::Web::SettingsController < Api::Web::BaseController
|
||||
respond_to :json
|
||||
|
||||
before_action :require_user!
|
||||
|
@ -36,7 +36,7 @@ const subscribe = (registration) =>
|
||||
const unsubscribe = ({ registration, subscription }) =>
|
||||
subscription ? subscription.unsubscribe().then(() => registration) : registration;
|
||||
|
||||
const sendSubscriptionToBackend = (getState, subscription) => {
|
||||
const sendSubscriptionToBackend = (subscription) => {
|
||||
const params = { subscription };
|
||||
|
||||
if (me) {
|
||||
@ -46,7 +46,7 @@ const sendSubscriptionToBackend = (getState, subscription) => {
|
||||
}
|
||||
}
|
||||
|
||||
return api(getState).post('/api/web/push_subscriptions', params).then(response => response.data);
|
||||
return api().post('/api/web/push_subscriptions', params).then(response => response.data);
|
||||
};
|
||||
|
||||
// Last one checks for payload support: https://web-push-book.gauntface.com/chapter-06/01-non-standards-browsers/#no-payload
|
||||
@ -85,13 +85,13 @@ export function register () {
|
||||
} else {
|
||||
// Something went wrong, try to subscribe again
|
||||
return unsubscribe({ registration, subscription }).then(subscribe).then(
|
||||
subscription => sendSubscriptionToBackend(getState, subscription));
|
||||
subscription => sendSubscriptionToBackend(subscription));
|
||||
}
|
||||
}
|
||||
|
||||
// No subscription, try to subscribe
|
||||
return subscribe(registration).then(
|
||||
subscription => sendSubscriptionToBackend(getState, subscription));
|
||||
subscription => sendSubscriptionToBackend(subscription));
|
||||
})
|
||||
.then(subscription => {
|
||||
// If we got a PushSubscription (and not a subscription object from the backend)
|
||||
@ -134,7 +134,7 @@ export function saveSettings() {
|
||||
const alerts = state.get('alerts');
|
||||
const data = { alerts };
|
||||
|
||||
api(getState).put(`/api/web/push_subscriptions/${subscription.get('id')}`, {
|
||||
api().put(`/api/web/push_subscriptions/${subscription.get('id')}`, {
|
||||
data,
|
||||
}).then(() => {
|
||||
if (me) {
|
||||
|
@ -24,7 +24,7 @@ const debouncedSave = debounce((dispatch, getState) => {
|
||||
|
||||
const data = getState().get('settings').filter((_, path) => path !== 'saved').toJS();
|
||||
|
||||
api(getState).put('/api/web/settings', { data })
|
||||
api().put('/api/web/settings', { data })
|
||||
.then(() => dispatch({ type: SETTING_SAVE }))
|
||||
.catch(error => dispatch(showAlertForError(error)));
|
||||
}, 5000, { trailing: true });
|
||||
|
Loading…
Reference in New Issue
Block a user